Skip to content

Warden: code-review #459

Description

@github-actions

Warden Scheduled Scan Results

Run: 2026-07-13T07:20:06.275Z
Commit: 3e42f4b

Summary

Severity Count
High 2
Medium 4
Low 1

Findings

src/mcp/tools/project-scaffolding/scaffold_ios_project.ts

  • W84-9RY orientationToIOSConstant never matches schema values (L44-L56) · high
    The schema accepts lowercase kebab-case orientations ('portrait', 'landscape-left', 'landscape-right', 'portrait-upside-down'), but this switch matches PascalCase ('Portrait', 'LandscapeLeft', ...). Every case falls through to default, so the raw kebab-case string is written into INFOPLIST_KEY_UISupportedInterfaceOrientations, producing invalid Info.plist values like landscape-left instead of UIInterfaceOrientationLandscapeLeft.

src/utils/xcodemake.ts

  • UKP-67W Downloaded xcodemake script executed without integrity verification (L62-L76) · high
    installXcodemake fetches a shell script over HTTPS from a mutable main branch, writes it to a world-readable temp directory, chmods it 0755, and then executes it. There is no checksum/signature verification and the temp path is predictable, so a compromise of the upstream repo or a local attacker with write access to os.tmpdir()/xcodebuildmcp could achieve code execution in the user's build context. Consider pinning to a commit SHA and verifying a SHA-256 hash of the downloaded content before chmod+exec.

src/utils/debugger/backends/lldb-cli-backend.ts

  • 6NC-BVY resume() leaves unread output that pollutes the next command (L83-L91) · medium
    resume() writes process continue but never emits a sentinel or drains output, so any text LLDB prints (including error: lines if continue fails) stays in this.buffer and is captured as the previous output slice by the next runCommand's sentinel match — leading to spurious assertNoLldbError failures or incorrect parsing (e.g. breakpoint id regex).
  • PJB-CB8 Unescaped interpolation of file/name/condition into LLDB commands (L97-L118) · medium
    spec.file, spec.name, and opts.condition are interpolated directly into LLDB command strings; a value containing " or \n can terminate the argument and inject arbitrary LLDB commands (which include platform shell and script, i.e. arbitrary code execution) if these inputs are ever attacker-influenced.

src/utils/nskeyedarchiver-parser.ts

  • YER-YWX ActiveRunDestination extraction silently fails when ActiveScheme is absent (L132-L135) · medium
    findDictWithKey is called with activeSchemeIdx, so when ActiveScheme is missing (index -1) but ActiveRunDestination exists, the parent dict lookup returns undefined and the function returns an empty result — defeating the earlier || guard.

src/utils/template-manager.ts

  • DUT-AXP process.chdir mutates global CWD affecting concurrent operations (L102-L116) · medium
    Using process.chdir(tempDir) changes the working directory for the entire Node process. Any concurrent tool invocation (e.g. another build/xcodebuild command running in parallel via this MCP server) will observe the wrong CWD until the finally block restores it, causing hard-to-debug failures. Consider passing a cwd option to the command executor for unzip (e.g. unzip -d <tempDir> <zipPath>) instead of mutating global state.

src/utils/device-name-resolver.ts

  • QWN-36A Synchronous devicectl call blocks event loop (L26-L30) · low
    execSync blocks the Node.js event loop for up to 10 seconds while xcrun devicectl runs, which can stall other MCP requests. Consider using an async execFile variant and awaiting it in callers.

Generated by Warden

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions